At a glance.
- Hackers fill shopping cart with supermarket employee data.
- Critics question CFPB's response to recent data breach.
- Could corporate use of ChatGPT violate the GDPR?
Hackers fill shopping cart with supermarket employee data.
CBS News reports that a data breach at US grocery chain Jewel-Osco has potentially compromised the data of thousands of employees. Based in the US state of Illinois, the supermarket serves the Chicago metropolitan area. Parent company Albertsons sent a letter to Jewel-Osco employees last week explaining that the attackers infiltrated Albertsons’ internal computer systems last December and made off with data including employee names, dates of birth, and Social Security numbers. Albertsons has not disclosed exactly how many employees were affected, but says the leak has been contained.
Critics question CFPB’s response to recent data breach.
As we saw last week, in February a former employee of the US Consumer Financial Protection Bureau (CFPB) leaked the confidential data of 256,000 consumers and forty-five financial institutions by forwarding the info to a personal email account. Although the breach occurred nearly two months ago, the bureau says it has not yet notified the affected consumers. According to a CFPB spokesperson, the bureau is still working with the affected financial institutions to identify the compromised individuals. The CFPB informed lawmakers about the breach on March 21, but it wasn’t until mid-April that the breach was shared with news outlets. What’s more, it’s still unclear exactly how much harm the leak might have caused or whether the employee at fault has been arrested. The irony of an agency designed to protect consumers being the source of a data leak – and then being tight-lipped about the details – has not been lost on industry experts. Todd Zywicki, a law professor at George Mason University and senior fellow at the Cato Institute, told American Banker, "To sit on it for this long, and to withhold from both consumers and the affected firms that this happened and then simply dismiss it was anything important and don't worry about it — it is hard to imagine the CFPB would be okay if some private company did that." Lucy Morris, a partner at Hudson Cook and a former CFPB deputy enforcement director, added, "Just like they expect companies to fully identify and remediate errors, they should do the same." Two Republican senators have called for CFPB Director Rohit Chopra to share more information about the breach – particularly about remediation efforts – at a staff briefing by May 8, and it’s possible that Chopra could be called to testify at a congressional hearing.
Could corporate use of ChatGPT violate the GDPR?
ChatGPT has been making headlines over growing concerns regarding how the platform handles user data, and now experts say certain applications of the artificial intelligence-powered chatbot could violate the EU’s General Data Protection Regulation (GDPR). There have already been several reported incidents of employees using ChatGPT to assist with business activities, and in doing so, some workers have submitted confidential corporate or client information to the platform. As Computer Weekly explains, ChatGPT uses user-submitted data to train the technology, which means it’s possible this corporate info could be regurgitated in response to a future user’s query. This could lead to the exposure of confidential company intellectual property or even private client or patient data. Italy’s data protection regulator has banned ChatGPT until its developers divulge exactly how user data are handled and ensure that users have the option to delete their submitted data, but when it comes to protecting corporate data, it’s unclear whether these steps will be enough. To be on the safe side, employers would be wise to assume that what happens in ChatGPT doesn’t stay in ChatGPT. As such, it’s recommended that companies train employees on the safe use of AI tech, revise confidentiality agreements to include the use of such platforms, and never input software code or sensitive internal data into them.